This Data Processing Addendum including appendices and references (“DPA”) forms part of the Agreement (as defined below) between
(1) Paligo AB, a company incorporated and organized under the laws of Sweden with corporate registration number 559021-1537 (“Paligo”); and
(2) The customer outlined in the Agreement with Paligo (the “Customer”).
Each of Paligo and the Customer is referred to as a “Party” and together as the “Parties”.
1. Background
1.1 The Parties have entered into a main agreement, i.e. a Master Services Agreement or Terms of Use (“Agreement”), regarding provision of the Paligo component content management system (CCMS) solution for technical documentation, policies and procedures, and knowledge management (hereinafter referred to as the “Service”).
1.2 In conjunction with the provision of the Service under the Agreement, Paligo may process Personal Data as a Data Processor on behalf of the Customer as the Data Controller. Therefore, and in order to ensure compliance with Applicable Law, the Parties have agreed to enter into this DPA.
1.3 The Agreement with appendices sets out commercial details about the Parties and the details on provision of the Service. This DPA supplements the Agreement and regulates only the processing of Personal Data carried out by Paligo as a Data Processor to the Customer. The most recent version of the DPA is published on Paligo’s website and shall automatically apply between the Parties, unless a signed and duly executed version has previously been agreed.
2. Definitions and interpretation
2.1 Defined terms used in this DPA shall have the meaning set out in the Agreement, unless explicitly defined otherwise herein. The term ‘Personal Data’ shall mean the personal data as defined in the GDPR and processed by Paligo as a Data Processor to the Customer, as further outlined in the Instruction. The terms ‘data breach’, ‘data subject’, etc. shall have the meanings given to them within the GDPR.
2.2 The following terms shall have the following meanings in this DPA.
“Data Controller” means the Customer, which determines the purposes and means of processing Relevant Personal Data in the Features.
“Data Processor” means Paligo, which processes personal data on behalf of the Customer when providing the Service.
“DPA” means this Data Processing Addendum between Paligo and the Customer.
“Instruction” means the instruction in Appendix 1 from the Customer as the Data Controller to Paligo as the Data Processor to process Personal Data in the Service.
“Personal Data” means the personal data specified in the Instruction relating to data subjects that are processed by Paligo as Data Processor for the Customer to provide the Service.
“Privacy Laws” means the laws applicable to the processing of Personal Data under this DPA, such as the General Data Protection Regulation (EU 2016/679) (“GDPR“) and other laws on data protection and personal data processing applicable to the Agreement.
“Standard Contractual Clauses” or “SCCs” means:
a) Regarding the GDPR, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”);
b) Regarding the UK GDPR, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK SCCs”); and
c) Regarding the Swiss Data Protection Act, the Standard data protection clauses recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCCs”).
3. Term
3.1 This DPA commences on the same date as the Agreement and continues to be in effect for the duration of the Agreement (including any agreement replacing the Agreement regarding provision of the Service), unless terminated in accordance with the terms of the DPA. This DPA shall remain in effect for as long as Paligo processes Personal Data subject to this DPA, notwithstanding the expiration or termination of the Agreement.
3.2 Paligo may terminate this DPA by giving at least ninety (90) days’ written notice to the Customer.
4. Documents
4.1 The DPA consists of this main document, the Instruction, the list on sub-processors available via link and the referenced SCCs (if and as applicable).
4.2 In the event of any contradictions between this DPA and the Instruction, the DPA shall take precedence. The SCCs shall prevail over the DPA and the Instruction solely with respect to transfer of Personal Data from the EEA to a third country that does not offer an adequate level of data protection. This DPA shall take precedence over the Agreement in matters relating to the processing of Personal Data carried out under the DPA.
5. Processing of personal data
5.1 The Customer is the Data Controller and Paligo is the Data Processor for the processing of Personal Data explicitly described in this DPA. In its capacity as Data Processor, Paligo shall process Personal Data in Customer Data on behalf of the Customer in accordance with the DPA, the Instruction, the GDPR, and Privacy Laws.
5.2 When processing Personal Data, Paligo shall comply with the Instruction. Customer may issue additional instructions to Paligo, provided that they are legally required, technically feasible, reasonable and do not require any changes to the Service. If Paligo is unable to comply with an additional instruction, it shall immediately notify the Customer.
5.3 As Data Controller, the Customer guarantees that the processing activities to be carried out are lawful, that a legal basis and specific purpose are in place, and that information has been given to data subjects related to the Customer, to allow for transfer of the Personal Data to Paligo for provision of the Service.
5.4 Taking into account the nature of the processing, Paligo shall, through appropriate technical and organisational measures, assist the Customer, to the extent possible, so that the Customer can fulfil its obligation to respond to requests regarding exercise of the rights of the data subject in accordance with Chapter III of the GDPR.
5.5 If Paligo believes that the Instruction, other instruction or communication from the Customer is in breach of the GDPR or other Privacy Laws, Paligo shall immediately notify the Customer and suspend the processing in question until the Customer has given instructions to Paligo on how to proceed with the processing.
5.6 Paligo shall ensure that persons authorized by Paligo to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6. Security
6.1 Taking into account the state of the art, the costs of implementation, the nature, scope, context, purposes and type of processing, the information in possession of Paligo as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Paligo shall implement and maintain appropriate technical and organisational security measures to protect the Personal Data pursuant to Article 32 of the GDPR.
6.2 The measures implemented by Paligo are outlined in the Instruction. The Customer acknowledges and agrees on the technical and organisational measures described in the Instruction and deems the measures sufficient for the processing of Personal Data by Paligo in conjunction with provision of the Service. Paligo is expressly allowed by the Customer to implement and maintain alternative measures that achieve an equivalent or higher level of security than instructed by the Customer.
6.3 The Service is not suitable for the processing of Special Categories of Personal Data as defined in Article 9 of the GDPR. Accordingly, the Customer shall not instruct Paligo to process any such Personal Data in connection with the Service. The Customer acknowledges and agrees that it is solely responsible for ensuring that the data provided to Paligo does not include any such Personal Data.
7. Data breach
7.1 Taking into account the type of processing and the information available to Paligo, Paligo shall provide reasonable assistance to the Customer in ensuring that the obligations in connection with a Data Breach can be fulfilled in the manner which follows from Articles 33–34 of the GDPR.
7.2 Paligo shall notify the Customer without undue delay after Paligo becomes aware of a Data Breach. Email to Customer’s registered email address with Paligo shall be deemed sufficient as a notification.
8. Impact assessment and prior consultation
8.1 Paligo shall, taking into account the nature of the processing and the information available to Paligo, provide reasonable assistance to the Customer in fulfilling Customer’s obligations, if any, regarding the performance of a data protection impact assessment and/or prior consultation with a supervisory authority in accordance with Articles 35–36 of the GDPR.
9. Instruction
9.1 The Personal Data processing performed by Paligo on behalf of the Customer is described in Annex 1 to this DPA. The Customer acknowledges and agrees that the aforementioned description together with this DPA is the complete Instruction from the Customer to Paligo.
9.2 Paligo may process the Personal Data only in furtherance of the purpose of the Agreement and always in accordance with the lawful instructions given by the Customer from time to time, unless a specific processing activity is required by European Union law or by the applicable Member State’s national law, in which case Paligo shall inform the Customer of the legal requirement prior to processing of the data, unless such information is prohibited on grounds of important public interest under the relevant national law.
9.3 Either Party shall be entitled to update the Instruction from time to time. Paligo shall be entitled to compensation for additional costs incurred if the Customer modifies the Instruction.
10. Sub-Processors
10.1 Paligo is granted a general authorization to engage sub-processors to process Personal Data. The Customer agrees that Paligo may engage sub-processors as listed at https://paligo.net/sub-processors (the “Sub-processor Page“), which may be updated from time to time. Paligo will inform the Customer of any plans to engage a new sub-processor and of any replacement of an existing sub-processor, provided that the Customer has chosen to subscribe to such information. In order to subscribe to Paligo’s information on changes regarding sub-processors, please visit the link in this section above. The Customer acknowledges and agrees that Paligo will only send information on sub-processors to the Customer if the Customer has chosen to subscribe to the information. Paligo encourages the Customer to subscribe to the information.
10.2 Objections shall only be made if there are objectively acceptable reasons. If the Customer objects, the parties shall endeavour to remove the objection raised. If such adjustment cannot reasonably be made within thirty (30) days of the objection, or if the adjustment is not commercially reasonable for Paligo, the Customer may opt to accept the sub-processor, otherwise either Party may immediately terminate the Agreement and this DPA. The Customer is not entitled to any remedies other than the termination right in this paragraph.
10.3 Paligo shall ensure that any sub-processor engaged by Paligo enters into a written agreement requiring the sub-processor to comply with terms no less protective than the terms of this DPA. If a sub-processor fails to fulfil its data protection obligations, Paligo remains liable to the Customer within the limitation of liability for the performance of the sub-processor’s obligations.
11. Transfer to third countries
11.1 Paligo is a legal entity established in the European Economic Area (“EEA”). However, Personal Data may be transferred by Paligo and its sub-processors outside of the EEA. The Customer gives its express consent that Paligo is entitled to transfer Personal Data outside of the EEA (i) to any country subject to an adequacy decision adopted by the European Commission and/or the UK ICO (as applicable), (ii) if appropriate safeguards are put in place by entering into SCCs, (iii) if an alternative transfer mechanism applies, such as the EU-US Data Privacy Framework, or (iv) in case of derogations under Article 49 of the GDPR.
11.2 The Customer can specify the location where Customer Data will be processed within the Paligo network (each a “Region”), including Regions in the EEA. Once Customer has made its choice, Paligo will not transfer Personal Data from Customer’s selected Region except as necessary to provide the Service initiated by Customer, or as necessary to comply with the law or valid and binding order of a governmental body.
11.3 If Personal Data is exported outside the EEA, UK or Switzerland (as applicable) under Section 11.1 (ii) above, the Parties agree that the SCCs shall apply as follows:
a) The EU SCCs shall apply for transfer of Personal Data protected by the GDPR, completed as follows:
i. Module Two or Module Three will apply (as applicable).
ii. In Section 7 of the EU SCC, the optional docking clause shall apply.
iii. In Section 9 of the EU SCC, option 2: General Written Authorisation shall be applied. Paligo shall provide thirty (10) days’ advance written notice prior to the addition or modification of sub-processors.
iv. In Section 11 of the EU SCC, the optional redress clause shall not apply.
v. In Section 17 of the EU SCC, option 1 shall apply and the SCC shall be governed by the laws of Sweden.
vi. In Section 18 of the EU SCC, the parties agree that the competent courts shall be the courts of Sweden, with the district court of Stockholm as the court of first instance.
b) The UK SCCs shall apply for transfer of Personal Data protected by the UK GDPR, completed as follows:
i. Start date shall be the date of the Agreement.
ii. The EU SCCs in section 11.3 a) above shall apply.
iii. The relevant tables in the UK SCCs shall be deemed completed with the particulars set out in Appendix 1 to this DPA.
c) The Swiss SCCs shall apply for transfer of Personal Data protected by Swiss data protection laws, completed as follows:
i. The EU SCCs shall apply to the transfer in accordance with Section 11.3 a) above.
ii. When interpreting the EU SCCs, references to the GDPR or similar shall be interpreted as a reference to Swiss data protection legislation, references to the EU, member states etc. shall be interpreted as references to Switzerland and references to competent supervisory authorities, competent courts etc. shall be interpreted as references to relevant Swiss authorities.
12. Data subject rights and information requests
12.1 If a data subject or other third party requests information from Paligo regarding processing of Personal Data carried out on behalf of the Customer, Paligo shall refer such data subject or other third party to the Customer.
12.2 If a public authority requests such data as follows from the above clause, Paligo shall immediately notify the Customer of the request and, in consultation with the Customer, agree on an appropriate course of action.
13. Audit
13.1 Paligo shall grant the Customer access to the information which is reasonably necessary to enable the Customer to verify compliance with the obligations which follow from Article 28 of the GDPR. Paligo shall allow for and assist in audits, including inspections, which are conducted by the Customer or by a reputable auditor authorised by the Customer. Paligo shall be entitled to reasonable notice, at least 30 days in advance, in the event the Customer wishes to exercise its right to conduct an audit or inspection. The Parties will agree in writing upon the scope, timing, duration and limitations of the audit, to be carried out during normal business hours of Paligo. The Customer shall pay for all costs and expenses incurred by Paligo as a result of such an audit or inspection, including costs and fees for time spent by Paligo. The Customer is entitled to audit Paligo once a year.
13.2 The information and knowledge obtained by the Customer as a result of the audit carried out under this chapter shall be treated with confidentiality. The information and knowledge may not be used for any purpose other than to verify Paligo’s compliance with the GDPR. Any reports and findings shall be shared with Paligo. All collected information shall be deleted within one month from the date of the inspection. The Customer acknowledges and agrees that access to server halls and other such premises may not be possible to arrange in certain cases for security reasons, whereby alternative measures shall be discussed between the Parties. The audit shall not include (i) any data on other customers than the Customer and (ii) any system or facilities not involved in the processing of Personal Data.
13.3 Paligo shall ensure that the competent supervisory authority can carry out an audit in accordance with the provisions of the GDPR.
14. Remuneration
14.1 Paligo shall receive remuneration for measures that it takes in respect of the processing of Personal Data in accordance with the DPA and the Agreement.
15. Limitation of liability
15.1 The liability of Paligo under or in connection with this DPA, whether in contract, tort (including negligence), breach of statutory duty or otherwise, shall be subject to the limitations and exclusions set out in the Agreement. For the avoidance of doubt, the aggregate liability of Paligo under both the Agreement and this DPA shall not exceed the liability cap set forth in the Agreement.
15.2 Paligo shall not be liable to the Customer for any loss of profit, loss of revenue, loss of anticipated savings, loss of business opportunity, loss of or damage to goodwill or reputation, or for any indirect, consequential or special damages arising out of or in connection with this DPA, whether foreseeable or not and whether or not the Party had been advised of the possibility of such damages. Paligo is not responsible for any administrative fines imposed on the Customer.
15.3 Paligo, in its capacity as a Data Processor, processes Personal Data as instructed by the Customer and is not responsible for any consequences if the Personal Data proves to be incorrect. The Customer is responsible for ensuring that the Personal Data has been collected and that the data subjects have received information in accordance with Privacy Laws and that there is a legal basis for the processing. The Customer shall indemnify and hold harmless Paligo for any damages, losses and costs incurred by Paligo as a result of the Customer’s breach of the DPA or Privacy Laws.
15.4 A Party’s right to seek subrogation from the other Party, in accordance with Article 82(5) of the General Data Protection Regulation, shall be deemed limited as set out in this Section 15.
16. Consequences of termination of the DPA
16.1 When Paligo ceases to process Personal Data on behalf of the Customer, Paligo shall return any Personal Data to the Customer in the manner notified by the Customer or, if notified by the Customer in writing, destroy and erase all Personal Data that has a connection to the Agreement.
16.2 After termination of the DPA and as soon as Paligo has complied with the clause above, Paligo’s right to process or otherwise use the Personal Data ceases (unless storage of the Personal Data is required by national legislation or EU law or Paligo has a legal basis to process relevant Personal Data).
17. Changes to the DPA
17.1 Paligo has the right to make changes, adjustments, and updates to the DPA to the extent it follows from changes in Paligo’s services, including the Service and/or changes in Privacy Laws.
18. Governing law and jurisdiction
18.1 The clauses on governing law and jurisdiction in the Agreement shall apply to this DPA.
Annex 1
Instruction
This Annex is the Instruction. It also contains the information required in SCCs (if a transfer is conducted).
2. Particulars
2.1 Data Controller
- Data Controller: Customer, as set out in the Agreement
- Address: As set out in the Agreement
- Contact person: As set out in the Agreement
- Activities relevant to the data transferred under the SCCs: use of the Service
- Data protection officer: if and as instructed by the Customer.
2.2 Data Processor
- Data Processor: Paligo, as set out in the Agreement
- Address: As set out in the Agreement
- Contact person for the agreement: As set out in the Agreement
- Contact in privacy matters: security@paligo.net
- Activities relevant to the data transferred under the SCCs: provision of the Service and support.
3. Description of the processing of Personal Data and transfer of Personal Data
3.1 Customer has decided on the following particulars regarding the processing to be carried out by Paligo.
3.2 Subject matter of the processing
(a) The subject matter of Paligo’s Processing of Personal Data on behalf of the Customer is: provision of the Service, processing of Customer’s data in the Service, to create, administer and remove user accounts and support matters.
3.3 Purpose of processing
(a) The purpose of Paligo’s Processing of Personal Data on behalf of the Customer is: onboarding, user account management, provision of the Service, storage of Customer data, support.
3.4 Categories of processing
(a) The measures carried out by Paligo as part of the Processing of Personal Data on behalf of the Customer are: collection, use, structuring, storage, adaptation, alteration, retrieval, transmission, alignment, combination, removal, erasure.
3.5 Categories of Personal Data
(a) The following categories of Personal Data may be processed: the Personal Data that the Customer chooses to process through the Service in the Customer Data (if any) and user credentials (name, username, email address and password).
3.6 Categories of data subjects
(a) The following categories of data subjects may be concerned: the data subjects whose Personal Data the Customer chooses to process through the Service, including employees.
3.7 Sensitive personal data
(a) No special categories of personal data (often referred to as sensitive personal data) shall be included in the data to be processed through the Service.
3.8 Frequency of transfer
If the Customer is established outside the EU/EEA, every time the Customer’s user(s) log in to or otherwise use the Service. Otherwise occasionally, if required to provide support services and software development.
Nature of the processing
Provision of software services (the Service).
Geographic location of data storage
The Customer can specify the location where Customer Data will be processed within the Paligo network, including Regions in the EEA. Once the Customer has made its choice, Paligo will not transfer Customer Data from the Customer’s selected Region except as necessary to provide the Services initiated by the Customer, or as necessary to comply with the law or a valid and binding order of a governmental body.
Purpose(s) of the data transfer and further processing
To enable provision of software services (the Service), support, customer service and thereto related matters.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
Personal Data is generally processed during the term of the Agreement. In case the Customer instructs Paligo to remove a particular user, the Personal Data relating to that user will be removed without undue delay.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The nature of any processing by sub-processors is to facilitate the Service. The duration is for the term of the Agreement between Paligo and the Customer.
4. Competent supervisory authority in the EU
Integritetsskyddsmyndigheten, Sweden.
5. Technical and organisational measures (TOMs)
5.1 The technical and organisational measures implemented by Paligo to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons, are described here: https://paligo.net/information-security
6. List of Sub-processors approved by Customer
6.1 The Customer agrees that Paligo may engage Sub-processors as listed at https://paligo.net/sub-processors, which may be updated from time to time.